How Audits Work
Designed as a collaborative process, internal audits should assist management with improving their risk management and analyzing the control systems used to reduce these risks. OARC strives to create constructive and collaborative working relationships with our clients. By focusing on clear communication, we work to ensure there are no surprises in the final product. Our goal is not just a final audit report, but ultimately improved business processes that management chooses to implement to better manage their business risks.
Although every audit is unique, the audit life cycle is similar for most engagements and normally consists of the following stages:
Stages of an Audit
Every year an audit plan is developed based on a University-wide analysis of auditable entities, their inherent level of business risk, and input provided by senior management. The annual audit plan is presented to and approved by the Board of Visitors' Compliance, Audit, and Risk Committee. OARC is responsible for executing this plan and reporting results back to the committee.
During the planning phase, contact with the client is initiated and background information is gathered to gain an understanding of the risks and controls in place. Typically completed through a risk assessment process, this phase is critical to ensure the engagement is appropriately scoped and is initiated with the objectives in mind that will produce the most impact. Once audit objectives and scope are defined, the audit program is created, which is the blueprint for conducting the audit and accomplishing the audit objectives. During this phase you can expect the following:
- Notification email and letter: With a few exceptions, clients are notified in writing when their area is selected for review. This letter may contain a preliminary survey or request for information and typically a request for an entrance conference meeting.
- Entrance conference: Depending on the type of engagement, often we will plan an in-person meeting to introduce the audit staff, review the audit process, and discuss our preliminary deadlines. It is also a time for the client to bring concerns forward for consideration.
The evaluation phase of the audit is referred to as fieldwork. This phase includes assessing the adequacy of internal controls and compliance, testing of transactions, records, and resources, and performing other procedures necessary to accomplish the objectives of the audit.
It may be necessary for the audit team to conduct interviews with departmental personnel and to review departmental records and practices; however, efforts will be made to minimize disruptions and cooperate with audit clients to make the audit process as smooth as possible.
Throughout the audit, audit clients will be informed of the audit process through regular status meetings and/or communications. The audit team makes every effort to discuss audit observations, potential issues, and proposed recommendations as they are identified. In some instances, it is necessary to work directly with audit clients to determine or validate the root cause and discuss ways to eliminate the root cause.
The final result of every audit is a written report that details the audit scope and objectives, results, recommendations for improvement, and the management corrective action plans.
Draft Report – Audit reports are typically prepared in draft form and distribution is initially limited to the immediate manager of the area so it can be reviewed prior to further distribution of the audit report. If recommendations are made, written responses detailing the following are requested of the audit client and are included in the final audit report. Corrective actions include:
- A corrective action plan to resolve the problem and its root cause,
- The person responsible for implementing the corrective action, and
- An expected implementation date.
Closing Meeting – If necessary, a closing meeting will be held to provide an opportunity to resolve any questions or concerns the audit client may have about the audit results and to resolve any other issues before the final audit report is released.
Final Audit Report – The final audit report is addressed to the senior management of the area under review. The final report distribution will be discussed during the closing meeting. Lastly, the final audit report will be presented at the next Board of Visitors' Compliance, Audit, and Risk Committee meeting.
OARC performs a limited follow-up review to verify the completion of the action plans and report their completion to executive management and the Compliance, Audit, and Risk Committee of the Board of Visitors. The timing of this review is based on the time frames in management’s action plans included in the final report.
Types of Engagements
The objective of these audits is to contribute to the improvement of risk management and the control systems within the university by identifying and evaluating exposures to business risks and the controls designed by management to reduce those risks.
OARC performs risk-based audits of all university operations and activities to appraise:
- The reliability, integrity, and timeliness of significant financial, managerial, and operating information and the adequacy of the internal controls employed over the compilation and reporting of such information.
- Compliance with policies, procedures, standards, laws, and regulations.
- Measures taken to safeguard assets, including tests of existence and ownership.
- The adequacy, propriety, and cost-effectiveness of accounting, financial, and other controls throughout the university, as well as compliance therewith.
- Whether university resources are being managed in an economical, efficient, and effective manner.
The goal of policy compliance reviews is to provide the Board of Visitors and Executive Management with a clear picture of university-wide business practices and compliance with key university fiscal and administrative policies. Policy compliance reviews are most often conducted at the senior management (College, Vice President) level. There are approximately 25 senior management areas identified and each will be reviewed at least once during a five-year cycle. The ultimate objective of the reviews is to contribute to the improvement of risk management and the control systems by evaluating compliance with the following university policies and procedures:
- Fiscal Responsibility (Policy 3100)
- Employee Compensation and Leave Reporting (Policies 4296, 4298, 4300, and 4320)
- Expenditures (Policy 3200)
- Fixed Asset Management (Policy 3950)
- Funds Handling (Policy 3600 and University Bursar procedures)
- University Key Control (Policy 5620)
- Information Technology (Policies 1060, 7010, and 7105, and Standard for High Risk Digital Data Protection)
- Emergency Preparedness (Policies 1005 and 5615)
- State Vehicle Maintenance (Policy 5500)
- Family Educational Rights and Privacy Act (FERPA)
- Conflicts of Interest (Policies 4070 and 13010)
Other relevant university policies can be located at www.policies.vt.edu.
OARC performs advisory service reviews at the request of management. Advisory service activities, the nature and scope of which are agreed with the client, are intended to add value and improve the university's governance, risk management, and control processes without the internal auditor assuming management responsibility.
Examples of advisory services include:
- management requested reviews, advisory services, and analysis
- collaboration and advice on campus initiatives
- reviewing changes in operations or processes (manual or IT systems)
- consultation on risks and controls within campus operations
- input on policy/procedure development
- advice provided through participation on campus committees
- training in the areas of governance, risk management, and controls
Scope of Audit Activities
OARC assists the university in maintaining effective controls (encompassing governance, operations, and information systems) by evaluating their effectiveness and efficiency and by promoting continuous improvement.
OARC ascertains the extent to which operating and program goals and objectives have been established and conform to those of the university, whether results are consistent with established goals and objectives, and whether management has established adequate criteria to determine whether objectives and goals have been accomplished.
OARC assists the university by evaluating university-wide business practices and compliance with key university fiscal and administrative policies at the senior management level with the objective of contributing to the improvement of risk management and control systems within these areas.
OARC assesses and makes appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the university
- Ensuring effective organizational performance management and accountability
- Effectively communicating risk and control information
- Effectively coordinating the activities of and communicating information among the Board, external and internal auditors, and management